
Bug 93263

Summary: hardened-sources: add SKAS patch (for user-mode-linux) and loop-AES patch
Product: Gentoo Linux
Reporter: Sascha Silbe <sascha-gentoo-bugzilla>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED WONTFIX
Severity: enhancement
CC: correo
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Sascha Silbe 2005-05-19 15:53:09 UTC
It would be great if you could include the SKAS patch for UML (user mode 
linux) [1] and the POSIX capabilities CAP_INIT_INH_SET patch [2] in 
hardened-sources.

hardened-sources contains almost anything I need (vanilla + security patches) 
with as little bloat as possible (the only major patch is grsecurity). If 
you'd include those two patches, I could stop maintaining my own kernel source.

The SKAS patch [1] is needed for UML to run in SKAS (Separate Kernel Address 
Space) mode which increases security and performance (see also [3]). It can 
be deactivated in the Kernel config.

The POSIX capabilities CAP_INIT_INH_SET patch is needed to use POSIX 
capabilities on a system with an unpatched SysV init (i.e. a normal Gentoo 
system). It sets the Inheritable flag for all capabilities of the init 
process (see also bug #5818). On a system not explicitly changing 
/proc/sys/kernel/cap-bound (and thus activating POSIX capabilities), this has 
no real effect. See [4,5] for more details.


[1] http://www.user-mode-linux.org/~blaisorblade/patches/skas3-2.6/skas-2.6.11-v8/skas-2.6.11-v8.patch.bz2
[2] ftp://ftp.silbe.org/linux/kernel/v2.6/linux-2.6.9-enable_caps.patch
[3] http://user-mode-linux.sourceforge.net/skas.html
[4] http://killa.net/infosec/caps/
[5] http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
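As an added example (not code from the bug report or from the patches it links), the C program below parses the CapInh/CapPrm/CapEff lines of /proc/<pid>/status so an administrator can check whether init (pid 1) really carries a non-empty Inheritable set, which is the effect the CAP_INIT_INH_SET patch is meant to have; the sample status text embedded in it is constructed, not captured from a real host.

```c
/* Added example, not code from the bug report or the patches it links: parse the
 * CapInh/CapPrm/CapEff lines of /proc/<pid>/status to check whether init (pid 1)
 * really carries a non-empty Inheritable set, which is what CAP_INIT_INH_SET adds. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct caps { uint64_t inh, prm, eff; };

/* Returns a bitmask of the lines found: 1 = CapInh, 2 = CapPrm, 4 = CapEff. */
int parse_caps(const char *status, struct caps *out) {
    int seen = 0;
    memset(out, 0, sizeof *out);
    for (const char *l = status, *nl; l; l = nl ? nl + 1 : NULL) {
        nl = strchr(l, '\n');
        if (strncmp(l, "Cap", 3) || strlen(l) < 7 || l[6] != ':')
            continue;                              /* not a CapXxx: line */
        uint64_t v = strtoull(l + 7, NULL, 16);    /* strtoull skips the tab */
        if (!strncmp(l, "CapInh", 6)) { out->inh = v; seen |= 1; }
        else if (!strncmp(l, "CapPrm", 6)) { out->prm = v; seen |= 2; }
        else if (!strncmp(l, "CapEff", 6)) { out->eff = v; seen |= 4; }
    }
    return seen;
}

/* 1 if the Inheritable set is empty (init without the patch, as the report
 * describes), 0 if it is non-empty, -1 if the text has no CapInh line. */
int inheritable_is_empty(const char *status) {
    struct caps c;
    if (!(parse_caps(status, &c) & 1)) return -1;
    return c.inh == 0;
}

/* Constructed sample in /proc/1/status format (not captured from a real host). */
static const char SAMPLE_UNPATCHED[] =
    "Name:\tinit\nPid:\t1\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fffffeff\nCapEff:\t00000000fffffeff\n";

int main(void) {
    static char buf[4096];                         /* zeroed, so NUL-terminated */
    FILE *f = fopen("/proc/1/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    const char *text = n ? buf : SAMPLE_UNPATCHED;  /* fall back to the sample */
    printf("init Inheritable set: %s\n",
           inheritable_is_empty(text) == 1 ? "empty" : "non-empty or unknown");
    return 0;
}
```

Run it as root (or any user that can read /proc/1/status) to see the live sets; without that file it reports on the constructed sample.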
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-05-03 07:19:10 UTC
*** Bug 132124 has been marked as a duplicate of this bug. ***
Comment 2 Sascha Silbe 2006-06-28 09:09:01 UTC
POSIX capabilities support has been added to sysvinit, so we don't need the kernel patch (linux-2.6.9-enable_caps.patch) anymore.
loop-AES [1] support would be great, though, since it plugs several design mistakes of cryptoloop and dm-crypt (but still supports their on-disk formats, so it's nearly a drop-in replacement). The current stable sys-apps/util-linux will include loop-AES support instead of cryptoloop support unless you set USE=old-crypt, BTW.
There's already a loop-AES module ebuild in the tree, but it needs to be rebuilt every time the kernel is updated. Up to now I could save myself that hassle. There's no tool to do it automatically and, at least for those damned nvidia drivers on my workstation, I tend to forget it almost every time.

[1] http://loop-aes.sourceforge.net/loop-AES.README

Comment 3 solar (RETIRED) gentoo-dev 2006-06-28 11:29:07 UTC
The chances of this being included in hardened-sources are slim. Another unique set of sources would be more suited.
Comment 4 Christian Heim (RETIRED) gentoo-dev 2007-04-11 20:27:09 UTC
(In reply to comment #3)
> The chances of this being included in hardened-sources are slim. Another
> unique set of sources would be more suited.

I don't see a chance here either.